DistroWatch Weekly

A weekly opinion column and a summary of events from the distribution world

DistroWatch Weekly

DistroWatch Weekly, Issue 552, 31 March 2014

Welcome to this year's 13th issue of DistroWatch Weekly!
One of the nice aspects of open source is that established projects act as a foundation for new projects. Debian acts as a base for many projects, including Ubuntu. Other projects grow and branch out from Ubuntu and the family tree continues from there. This week we focus on two distributions which are relatively new additions to the Debian family tree, yet are making good progress in their quest to become usable, stable operating systems. We start with Tanglu, a Debian-based project which focuses on being a friendly, desktop-oriented operating system. In our News section this week we talk about the Ubuntu GNOME project, a distribution which has been seeking long term support status. We also link to a resource for people who wish to improve their on-line security and privacy. Plus we cover SliTaz's new ARM port along with PC-BSD's upgrade issues. Our Tips and Tricks section this week also talks about a useful security feature for multi-user systems. As usual, this week we look back on the releases of the past week and look ahead to exciting developments to come. We wish you all a pleasant week and happy reading!

The Tanglu distribution is a Debian-based project which uses software packages from Debian's Testing, Unstable and Experimental branches. The project has a focus on being a beginner friendly desktop operating system with a regular time-based release cycle (as opposed to Debian's "release when ready" release cycle). The Tanglu project, which gets its name from combining the words "tangerine" and "igloo", is currently available in two editions, KDE and GNOME. Both of these editions can be downloaded in 32-bit and 64-bit x86 builds. I opted to try the KDE edition of Tanglu as the GNOME edition is still considered experimental.

The ISO for the KDE edition of Tanglu is approximately 1GB in size and booting from the live media brings us to a KDE 4 desktop. The user interface is presented in the traditional manner with the application menu, task switcher and system tray placed at the bottom of the display. Icons for browsing the file system sit on the desktop. Looking through the application menu I found the project's system installer.

Tanglu appears to be using the same graphical system installer as the Linux Mint Debian Edition distribution uses and, as I covered the install process for Linux Mint Debian Edition last week, I will keep this part of the review brief. The installer quickly and cleanly walked me through selecting my preferred language, choosing my time zone and confirming my keyboard's layout. The installer helped me create a user account, offered to set up partitions for me automatically and then asked where it should install the GRUB boot loader. The installer progressed smoothly and I encountered no problems. When it was finished copying its files to my local hard drive I was prompted to reboot the computer.

Booting the Tanglu distribution brings us to a graphical login screen. Once I signed in I was presented with the KDE desktop. Minor visual effects were enabled, but otherwise the interface was subtle with no distracting pop-ups or welcome screen. The desktop was fairly responsive, neither remarkably fast nor slow.

Shortly after getting Tanglu up and running I started wondering about security updates. The distribution uses the Apper graphical package manager for updating and manipulating software. Apper lets us check for updates and browse categories of software packages. Within these categories we are shown lists of packages and we can then queue these packages for installation or removal with the click of a button. Apper processes batches of actions, temporarily locking the interface while it works. For the most part Apper functioned well for me, the exception being when I checked for package upgrades. When I checked for software upgrades the package manager would download repository data and then hang. A little investigating revealed that PackageKit was running in the background, using all available CPU cycles. PackageKit would churn non-stop, apparently locked in a loop, and it prevented Apper from completing its tasks. This has happened to me before, PackageKit often misbehaves, and I found killing the PackageKit process allowed Apper to get back to work, downloading and applying security updates. Tanglu, I found, uses its own software repositories. The distribution may pull packages from Debian, but they are maintained in a separate Tanglu software repository.

Digging through the distribution's application menu I found Tanglu ships with the Firefox web browser, the KMail e-mail client and the Konversation IRC software. A remote desktop application, document viewer and image viewer were also included. I found the LibreOffice productivity suite was installed by default along with the Amarok audio player, the VLC multimedia player and the Dragon Player video player. The Kamoso webcam utility was present along with an archive manager, virtual calculator, text editor and screen magnifier. Tanglu supplies Network Manager and the KPPP dial-up software to help us get on-line. I found multimedia codecs were present and I could play a variety of media files. Flash support and Java were both missing, though I found Java and Flash in the project's software repositories. In the background Tanglu runs on the Linux kernel, version 3.12.

I tried running Tanglu on a desktop computer and in a virtual machine powered by VirtualBox. In both environments Tanglu performed well. On the physical hardware my display was set to its maximum resolution, sound worked and a network connection was automatically enabled. The distribution is fairly light on resources. I found Tanglu ran fairly quickly, not setting any speed records, but holding up well against whatever I threw its way. When logged into the KDE desktop I found the distribution used approximately 170MB of RAM, a conservative amount for a Linux distribution running KDE.

After playing with Tanglu for a while I have to say, for a project that has just hit its 1.0 milestone, the distribution is surprisingly solid. I would normally expect an early release to have more rough edges and less coordination. I was especially concerned with the project's use of packages from Debian's Unstable and Experimental branches, but Tanglu remained stable throughout my time with the distribution. The only serious bug I ran into was with PackageKit and its habit of preventing the Apper package manager from working. However, with PackageKit disabled, the distribution performed well. Tanglu has a small memory footprint, works fairly quickly, comes with most of the software I want in a desktop operating system and provides many more packages via the project's repositories.

What I found especially interesting was comparing this week's trial with Tanglu against last week's experiment with Linux Mint Debian Edition. The two projects have a similar base (Debian), have similar goals (better desktop experience, regular release cycles and some extra non-free bits to improve the end-user experience) and they even use the same system installer. A month ago, had I been asked which distribution would offer the better experience, the veteran Mint project with its record of strong showings in my past reviews or a new distribution called Tanglu, I would have felt the deck was stacked in Mint's favour. However, while my experience with Mint's Debian-based edition was peppered with various minor issues, my time with Tanglu was pleasantly boring. The distribution tended to work quietly and without fuss and, the problem with PackageKit aside, Tanglu didn't offer me any problems.

At this point my only real concern with Tanglu isn't a technical one, but a matter of the project's goals and direction. Tanglu appears to have the same goals as dozens of other Debian-based projects with nothing to set it apart. At least not yet. Right now the project appears to be focused on getting on-line and getting the first few releases out the door and that is great, the developers are doing a good job so far. What I am wondering is: what happens next? What makes Tanglu more appealing than other fixed-release, Debian-based projects with a focus on the desktop? Why might a user select Tanglu over established distributions such as Lubuntu, Kubuntu or Parsix? Right now Tanglu appears to be a solid distribution, the 1.0 release a good first effort. However, at this (early) point in time Tanglu doesn't appear to be doing anything to set the distribution apart from the rest of the pack. Hopefully that will change with time.

* * * * *

Hardware used in this review

My physical test equipment for this review was a desktop HP Pavilon p6 Series with the following specifications:

Three weeks ago we discussed the Ubuntu GNOME project's proposal to gain long term support status in the Ubuntu community. The project has received its response from the Ubuntu GNOME team and the news is positive. The Ubuntu GNOME project is happy to announce it has long term support for the upcoming 14.04 release. This means Ubuntu GNOME will receive three years of security updates. The Ubuntu GNOME website reported the good news: "Ubuntu GNOME team has responded to the request and Tim (Ubuntu GNOME head of developers) has agreed to extend the support to 3 years instead of 2 years and 3 months. Without a doubt and without a question, this is by far, the biggest and the best achievement for Ubuntu GNOME Community. We're not only an official flavour of Ubuntu, but also got the LTS status."

Following the release of GNOME 3.12, the Ubuntu GNOME team addressed questions they have received regarding the latest version of GNOME. Will the new version of the GNOME desktop be shipped when Ubuntu GNOME 14.04 is released? The answer is negative. "No. Because on the 20th of February 2014 Trusty Tahr Cycle reached feature freeze: `At this point we stop introducing new features, packages, and APIs, and concentrate on fixing bugs in the development release.' That said, there is no time to introduce any new feature and at that time, GNOME 3.12 wasn't yet released." The Ubuntu GNOME team does point out that there is a personal package archive (PPA) featuring the latest version of the GNOME desktop for people who wish to try a more recent version of the graphical environment.

* * * * *

Two weeks ago the PC-BSD project released a small upgrade to their 10.0 release. While people who installed the project's freshly created images appeared to have done so without problems, some users experienced problems upgrading from 10.0 to 10.0.1. As it turns out, people who were experiencing problems were probably connected to a malfunctioning server. As the PC-BSD blog reports, "We heard that there were some users that were experiencing problems upgrading and believe we have found the guilty party. I was able to duplicate the same package upgrade problem that was causing updates to 10.0.1 to fail, and asked Allan over at Scale Engine to give us a hand. Allan was able to track down the issue to a faulty distribution server that was interrupting connections and preventing the upgrades randomly. This server has been removed from service at this time and further work is going into preventing this from happening again in the future." This will hopefully make future upgrades smoother for the project's users.

* * * * *

SliTaz, an extremely lightweight Linux distribution, has gained support for the ARM architecture. Work has gone into the SliTaz project to support ARMv6 with future plans to support ARMv7. The new port of SliTaz means the distribution can be run on the popular Raspberry Pi hobbyist computer. The project's website states: "SliTaz currently supports the ARMv6 (armel) architecture and work is on the stove for armv6hf (hard float) and ARMv7. SliTaz ARM is supported by the official SliTaz project but with its own boot scripts for faster start-up. A base system will use around 20MB of RAM. SliTaz can turn an ARM device into a music or web server, a NAT, an IRC bot, a small desktop and much more."

* * * * *

Many of us are concerned about maintaining secure operating systems. It is a challenge in the Internet Age to maintain one's security and privacy. Many applications leak information to the Internet and it is hard to know what we should trust and what cannot be trusted. The Digital Era website is trying to help. The site discusses important issues such as anonymity, security and privacy and offers tips on how to stay safe on-line. Not surprisingly, one of recommendations is to use a Linux-based operating system. The Digital Era site covers such topics as using proxies, setting up firewalls and Tor. It is a valuable resource for people who want to improve their on-line privacy and are looking for a place to start that is not overwhelmingly technical.

Tips and Tricks (by Jesse Smith)

Command line tips and tricks

You may have heard that it is a bad idea to enter any sort of sensitive information on the command line. Tutorials often warn against supplying a username or (more often) a password as an argument to a command line program. The reason for this is it is possible for other users on the system to see the commands you type. Running programs like top or ps allow other users to see the commands you type, including all the parameters you supply. This means other users on the same computer can watch the commands you type and look for login credentials or other sensitive information.

One way to avoid having credentials stolen is to hide one user's processes from every other user. Process information, including the command line which spawned the process, can be found under the system's /proc directory. We can alter the information available under the /proc directory so that we can see our own process information, but another user cannot spy on our processes. To alter the way the /proc directory works we can issue a remount command and tell mount to hide our process information from other users. The mount command that follows adjusts the /proc directory so that we can see our own process information, but other users cannot.

mount -o remount /proc -o hidepid=2

If we now look in the /proc directory we will see a list of our own processes, but none belonging to other users. Likewise, if we run the top or ps commands to see a list of running processes, only our own processes will be listed. Other users will only see their own processes too, making it harder to spy on our command line activity.

Should we wish to make this change to the /proc directory permanent, we can open the /etc/fstab file which details which file systems will be mounted and with what parameters. We can add the following line to our /etc/fstab file to make sure our process information always remains hidden from other users on the system.

proc /proc proc defaults,hidepid=2 0 0

This behaviour of hiding process information from other users will likely become default behaviour in distributions in the future. The Debian team, for instance, is looking to enable process hiding by default in order to protect users from accidental information leaks.

* * * * *

Looking at the comments at the bottom of each issue of DistroWatch Weekly you will find that each comment includes, among other bits of information, a guess as to where the comment writer is located in the world. If you have ever wondered how to get the geographical location of an IP address, then the following command line tricks are for you. Virtually every Linux distribution and BSD operating system includes a command called curl which can transfer information over the Internet using URLs. We can use the curl command to contact an IP-to-geographical location service. For instance, the website ipinfo.io will take a given IP address and attempt to tell us where it is located. From the command line this looks like

curl ipinfo.io/74.125.226.37

Note we start with the curl command, add the name of the web service we wish to use and then add the IP address we wish to lookup. We should get back a city, a region (province or state) and the country where the IP address is located.

Another command line program we can use is called geoiplookup and is packaged in most Linux distributions as either geoip or geoip-bin. The geoiplookup command simply accepts an IP address on the command line and returns the name of a country.

geoiplookup 74.125.226.37

The syntax of geoiplookup is a little easier to remember and, while it returns less detailed information, its straight forward nature makes this program an attractive tool.

Humour (by Jesse Smith)

Website Migration: Moving on from Debian

Long time DistroWatch readers may remember that this site ran on FreeBSD, once upon a time. The powerful server operating system worked well for DistroWatch until, in 2007, DistroWatch fell victim to a massive distributed denial of service attack. In the wake of the attack an effort was made to get the website up and running again as quickly as possible using a fresh installation. While FreeBSD is a fast and stable operating system, the initial configuration of FreeBSD and the required services would take a significant amount of time. Even if binary packages were used in place of compiling software ports from scratch, a new installation of FreeBSD would take a relatively long time to put in place. Debian, on the other hand, takes a short time to install and automates many of the steps required to put a web server in place. In the name of expediency, the decision was made to perform a fresh installation with Debian on the DistroWatch server. Over the past six years Debian has served DistroWatch fairly well and, despite the occasional minor issue one encounters with any operating system, we have been happy with Debian.

With all that being said, as happy as we have been with our current operating system, the choice to use Debian was made with an eye toward getting up and running as quickly as possible rather than what might be good for DistroWatch in the long-term. Some software and scripts which ship with Debian are perpetually out of date, Debian's policy of "release when it's ready" means it is hard to plan upgrades to new versions of the operating system in advance and performance, while good, could probably be improved. As such, we have been looking at various potential alternatives to Debian to see if there might be another platform better suited to our long-term needs.

We looked at a handful of possible operating systems. The recent FreeBSD 10.0 release was tested first, but we found that getting it up and running and then maintaining the required software would take more effort than we felt the performance benefits were worth. The CentOS distribution was seriously considered and tested. We liked the security, performance and stability offered by CentOS, but the distribution comes with the same issues Debian does -- outdated scripts and an uncertain release schedule. The openSUSE distribution was my personal favourite among the contenders. The mighty green distro provided good performance and great admin tools, but concerns were raised about the length of openSUSE's support cycle. Slackware was briefly considered, but its hands-on style of administration and conservative nature provided all the drawbacks of Debian with none of the package management perks of other Linux distributions. It looked, for a time, as though DistroWatch would be sticking with Debian for the foreseeable future. But then I had a chance encounter with a fellow system administrator who had been beta testing some very interesting software.

Before I go any further, I should explain something about how DistroWatch is set up. The DistroWatch website is not hosted on a single server, but rather on three servers which share the workload. When a person connects to distrowatch.com they are, in fact, contacting a load balancing service. The load balancer then passes on the connection to one of three servers (let's call then A, B and C). The page request is then processed by one of these three servers. Each connection gets handled in a "round robin" fashion, spreading out the work. This arrangement further allows us to take one server off-line for maintenance, leaving the other two machines to continue serving up content. The arrangement allows us to process a fairly large number of connections and maintain good uptimes, but carries the drawback of extra work, as we need to make sure all three servers are synchronized.

What my friend had been beta testing is a new technology coming out of Canonical called Net-Ju. Some readers may be familiar with the Ubuntu utility Juju. Juju allows servers to be linked together in a cloud-style infrastructure where resources scale as needed -- all with convenient command line and web-based system administration tools. Net-Ju, which will be provided as an add-on option to Ubuntu Server 14.04, is an extension of Juju. How it works, in a nutshell, is we install Canonical's proprietary Net-Ju service on a fresh Ubuntu Server installation. We then assign the machine a unique identifier. We can then use that unique identifier to connect the Ubuntu server to our Landscape control panel. Each machine added to the Landscape control panel can be placed inside a Net-Ju group, effectively making any Ubuntu-powered machine we want into a member of a distributed cloud. This means any Ubuntu machine anywhere in the world can be made a member of our cloud with only three commands and a couple of mouse clicks. Each machine, or "node", in the Landscape cloud will effectively work together to act as one giant machine. Network connections to any one machine will behave identically to connections made to any other machine in the same group. Further, the Net-Ju service load balances automatically. This means if several connections arrive at any node member at once, the connections are transparently divided up between all the active nodes. Files, meanwhile, are automatically synchronized between all nodes in the Net-Ju cloud.

All of these features sounded good and convenient and Ubuntu's package management tools, being the same as Debian's, would make the servers easy to configure and maintain. Ubuntu's next release will be a supported for five years, which makes it an attractive option. The big remaining concern was performance. The Debian community is understandably proud of their distribution's small resource requirements and high performance and I had doubts as to whether Ubuntu, alone or in a cloud arrangement, could keep up. Luckily I was able to get a month-long trial from Canonical in order to test Net-Ju myself and see how it would behave.

Following the steps in the provided documentation quickly got me set up with a fresh installation of Ubuntu Server. I added Canonical's Net-Ju service and signed into Landscape. It took me a little while to navigate around Landscape's web-based controls, but after a few minutes I had managed to create an empty cloud instance and, shortly after, I used my server's unique identifier to create my Net-Ju cloud. Then the testing began.

In order to test Net-Ju, I created scenarios where an equal number of Ubuntu nodes and Debian servers (laid out in a round robin configuration) would each process an increasingly greater number of web connections. Unsurprisingly, when I had just one Ubuntu server in my cloud and compared it against one Debian server, the Debian server consistently out performed Ubuntu. The Debian server, without its extra cloud overhead, performed approximately 20% faster under any load. This was to be expected, and so I added a second Debian server and a second Ubuntu node to the test.

Then, with a third server of each distribution added, my Ubuntu cloud again scaled better than its Debian counterpart. In the end, I found Ubuntu performed about 25% faster than Debian under traffic loads simulated to be about the same as what DistroWatch sees on most Mondays.

Further investigation turned up additional benefits to working with Canonical's Net-Ju. One problem we sometimes run into at DistroWatch is reader comments not syncing between servers fast enough. This sometimes causes people to believe their comment has been deleted or failed to post in the first place, when in fact the comment simply has not propagated to all of our web servers. The Net-Ju installation links us to Ubuntu's One service which would reduce the time required for files to synchronization and remove the need for us to maintain our own synchronization scripts. In short, this should prevent comments from disappearing. Another benefits is that, due to Canonical's deals with Amazon, made famous via the Ubuntu shopping lens, using Canonical's Net-Ju technology results in higher advertisement commissions from Amazon. This means DistroWatch can generate more income and pass along more money (we estimate 10% more) to open source projects through the donations program. In short, Ubuntu and Debian offer similar package management benefits and Ubuntu provides a more regular support cycle. Ubuntu further offers higher performance under heavy loads, easy system administration and higher revenue that we can then pass on to the community. The only downside is the use of Canonical's proprietary Net-Ju technology, but our philosophical oppositions to closed source software seem outweighed by the benefits offered by the Ubuntu platform.

Such a change from Debian to Ubuntu is not one we will make lightly, of course. Debian, as a server platform, has been very good to us in recent years. Ubuntu currently offers a very attractive solution which could make administration easier and improve our website's performance. Still, before we make the change, we welcome feedback from you, our readership. The last time we switched operating systems it was a choice made in a rush. This time we can pause to consider all the pros and cons and that includes hearing from the people who visit us every week and will actually be making use of the technology. So, please, feel free to e-mail us or leave us a comment below with your thoughts on migrating our server infrastructure from Debian to Ubuntu.

MX-14 "Symbiosis", a special version of antiX developed in full collaboration with the MEPIS Community, has been released for the 32-bit architecture: "It is a midweight OS designed to combine an elegant and efficient desktop with simple configuration, high stability, solid performance and medium-sized footprint. The base depends on the excellent upstream work by Linux, Debian, and Xfce. MX-14 also incorporates the independent and innovative development products Whisker Menu, simsu and gottet, QupZilla Browser, smxi and inxi. We think you will enjoy it! MX-14 is based on Debian 7 'Wheezy' and enhanced with more up to date applications from debian-backports and MEPIS Community repository...." The release announcement can be found on antiX's news page, and screenshots as well as a video introduction can be found on the MX project page.

Legacy OS 2.1 Long Term Support edition, a Puppy-based distribution compatible with old hardware like Pentium III PCs, has been released: "Today sees the release of Legacy OS 2.1 LTS the final Series 2 release ever! While there won't be any new releases for the 2 Series you can still expect new applications will be added to the repository over time. In this release you'll find some new applications and a few that have been update like the Opera web browser. Those who are currently using Legacy OS 2 will notice an improvement in Usability / Look and Feel. A number of configuring applications that once looked more like scripts now look like normal applications. With over 200 menu choices for users to choose from Legacy OS 2.1 LTS brings together a collection of extremely useful applications that could make a Pentium III PC far more useful than a user could imagine. Install once and use for years to come." The release announcement can be found on the Legacy OS website.

Marcos Guglielmetti has announced the availability of Musix GNU+Linux 3.0.1, an update to the Debian-based distribution designed for musicians: "The development team of Musix GNU+Linux is proud to present version 3.0.1 Stable. This is a bugfix release related to installation fail due to lack of grub package. Also, now the ISO image is isohybrid, i.e., supports boot from USB or DVD media. For this version of the installable Live DVD/USB Stable we added some video editors like Kdenlive 0.9.6, Avidemux and Cinelerra, added French and Serbian language support, OpenOffice, solved some minor KDE desktop bugs. Some useful information: User: user; Pass: live." Check the brief release announcement and the package list.

Star Labs - Laptops built for Linux.
View our range including the Star Lite, Star LabTop and more. Available with a choice of Ubuntu, Linux Mint or Zorin OS pre-installed with many more distributions supported. Visit Star Labs for information, to buy and get support.

Cucumber Linux aims to provide a Linux distribution that is usable as an every day, general purpose operating system. It aims to this in as minimalistic a way as possible and in a way that follows the Unix Philosophy. Cucumber Linux favors simplicity and modularity of design over simplicity of use. While developed independently, Cucumber's design is heavily influenced by Slackware Linux.